The Underground Company That Hacks iPhones For Ordinary Consumers

Screen Shot 2021-02-24 at 3

Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.

“Activation Lock,” a message displayed across the iPhone’s screen read. “This iPhone is linked to an Apple ID. Enter the Apple ID and password that were used to set up this iPhone.”

This lock essentially turns iPhones into very expensive paperweights until the owner enters the requested credentials. The feature is designed to stop anyone else from using the phone if it’s lost, or thieves from making money by reselling a stolen device. In part, Activation Lock is intended to make iPhones less attractive to thieves because stolen devices can’t be used.

Now, an underground group is offering people a way to strip that lock from certain iPhones with its pay-for-hacking service. iOS security experts suspect it is being used to remove protections from stolen iPhones. The hacking group called Checkm8.info offering the service, which lifts its name from a popular free-to-use jailbreak, insists its tool cannot be used by thieves.

“Our goal is the ability to repair electronics as it’s the key to saving resources, tackling e-waste and environmental damage,” the administrator of Checkm8.info told Motherboard in an email. Motherboard has previously written about how criminals have used phishing emails to grab necessary login credentials to remove the Activation Lock. Checkm8.info provides a much easier method, and appears to streamline what is ordinarily a complicated process into one that non-technical users can follow. Checkm8.info is correct in that Activation Lock can be frustrating to iPhone repair professionals, electronic waste facilities, and refurbishers, and has caused many perfectly good phones obtained through legal means to be shredded or destroyed. A user of the Checkm8.info site told Motherboard they used the service as part of their legal phone reselling business.

Do you have more information on criminals using Activation Lock bypass tools? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Under the hood, Checkm8.info is using checkra1n, a jailbreaking tool released in 2019. Checkra1n uses an exploit called checkm8 written by the developer known as Axi0mX.

“I don’t like it, but I don’t know what I can do about it,” Axi0mX said in an online chat about the checkm8.info service. “Either way I don’t support the practice and neither does the checkra1n jailbreak and checkra1n team.”

Checkm8.info only works for devices running iOS versions 12 to 14.8.1, according to checkm8.info’s website. That’s because checkm8 only works on older iPhones devices, up to the iPhone X, as it exploits an older version of the iPhone’s bootrom, the first code that an iPhone runs when it turns on. Newer iPhones have updated bootrom code that is not vulnerable to checkm8.

Activation Lock is enabled on an Apple device when the user sets up Find My, the Apple service that lets people track the location of their iPhone, Mac, or Apple Watch. After that, anyone who wants to erase or reactivate the device—something that would be vital for resellers—needs to enter the relevant Apple ID password. 

A video on checkm8.info’s website shows how simple the process of using the checkm8.info tool is. A user downloads the software, installs it, opens it up, then plugs in their target device to their Mac or PC.

“Get ready for the jailbreak!” the video’s female narrator says at one point. The video then shows the checkra1n jailbreak running on a device.

Ordinarily, if a user was running the checkra1n jailbreak themselves, that would be the end of the process. But checkm8,info, in its mission to co-opt a free piece of software and turn a profit, then asks users to buy a license to complete the hack. The site charges $69.99 per license, according to the video. In Motherboard’s own tests, the price has been reduced and the organization now asks for a payment of $49.99.

“Done! You have successfully bypassed iCloud activation lock on your device,” the narrator adds. 

The administrator told Motherboard in an email that they sell 30 to 150 licenses per month, which works out to $2,100 to $10,500.

Checkm8.info has a couple of apparent competitors that offer similar services too, such as Minacriss and iRemoval PRO. A post in the Telegram channel of iRemoval PRO mentions use of the checkm8 exploit too. 

Checkm8.info also offers a service that it describes as “Bypass iPhone Passcode.” However this service is not a tool similar to established iPhone unlocking services such as Cellebrite and GrayShift, though. “This service restores the device to factory settings and activates it as a new device using a saved activation ticket from the system.  So basically this method has nothing with brute forcing or user data leak. Passcode phrase is a common name used by other tools for this service so we decided to give it the same name,” the checkm8.info administrator told Motherboard.

Checkm8.info also offers a reseller program where vendors can sign up to buy checkm8.info licenses in bulk, perhaps for their own at scale unlocking service.

Kevin Flash runs a company called SellLocked which buys iPhones that have Activation Lock. For example, SellLocked.com offers $25 for a good condition iPhone X with Activation Lock, according to a quote generated by the site. Flash told Motherboard in a Facebook message he uses checkm8.info to remove the lock and then resells the now working phone. He said once a phone has Activation Lock enabled and a person can’t remove it for whatever reason, “so many Apple products become literal garbage other than a few key parts.” 

“The waste is just astronomical,” he added. In one Facebook post, Flash said he had used checkm8.info on 30 iPhone Xs.

OkemoZurs, a collector of Apple devices, told Motherboard he has used a similar service to checkm8.info successfully. “I’ve actually used something using the same technique as it on some iCloud locked [Activation Lock] devices before,” he said.

Users in checkm8.info’s Discord server claim they want to use the tool for things like removing the lock on a device they bought.

“I want to bypass activation lock on a MacBook air 2019 that I bought from an old man for my young brother. Can I run perfectly checkm8 service application on a virtual machine as I only have a Linux based pc,” one user posted in the checkm8.info Discord server in March.

Motherboard tested the checkm8.info service with a T-Mobile phone that had been reported as stolen. The checkm8.info tool successfully jailbroke the target device, but the portion of the program responsible for bypassing Activation Lock crashed multiple times. This may be because the process requires cellphone signal to complete, and T-Mobile had blocked the phone from receiving or sending messages. The process was very quick however, and could reasonably take place before a victim manages to report their phone as stolen.

A developer of the checkra1n jailbreak told Motherboard that “I believe there are 2 types of users who look for this kind of a service though: (1) Those who actually steal the phones because they know they can temporarily unlock them and put them up for sale and (2) Users that been scammed and bought a stolen device that either came locked or been locked later on.”

The checkm8.info administrator added “I personally consider Apple is too strict with their vendor lock policy. If you check the Apple niche forums on the web, there are tons of claims by users who got their accounts locked for many different reasons and are not able to regain access to them or not able to recover lost passwords for their accounts.”

People in the jailbreaking and iPhone security research community are convinced the service is for illegal purposes—to unlock stolen iPhones. Axi0mX, the developer of the checkm8 exploit, told Motherboard in an online chat that services that bypass the Activation Lock would be useful to unlock stolen phones. 

“I’m disappointed to see that (for most of them) the checkera1n [sic] team’s efforts were abused to provide such services,” a security researcher who specializes in hacking iOS, who asked to remain anonymous as he wasn’t authorized to speak to the press, told Motherboard. “I am just an enthusiastic checkra1n user. What I find upsetting is that people are using a research tool to make software that will likely aid the iPhone theft industry—and the fact that they’re making money off freely released work.”

The checkm8.info administrator behind checkm8.info said that the service does not cover stolen devices. They said the service uses an API from the GSMA, the trade body for the wireless industry, to check whether a device has been “blacklisted,” which can mean the device was lost or stolen. This is an additional protection on top of Apple’s own Activation Lock. Network carriers and repair companies use this API to check for that stolen status.

“Protect your reputation by reducing the likelihood of accepting stolen or lost devices,” the GSMA’s website reads in a section describing how the Device Check service can be used by device recyclers.

The administrator of checkm8.info claimed they used the GSMA tool to spot stolen devices and block them from using the jailbreak.

“We decline such devices as well in our system,” they wrote in an email.

That API would only work if the victim reported their device as stolen, however. After a consumer reports their device stolen, their operator then marks the IMEI—a unique identifying code—as belonging to a stolen device. But if a consumer does not self-report the phone as stolen, there may still be a window for a thief to deploy the checkm8.info against a phone that only had Activation Lock enabled.

GSMA declined to speak on the record. T-Mobile told Motherboard it reports stolen devices to the GSMA database.

At least some Apple employees are aware of Checkm8.info’s service. A Product Security employee at Apple follows the group on Twitter. Twitter briefly suspended checkm8.info’s account in April but the account is back online at the time of writing. 

Apple declined to comment.

UPDATE, 1:45 p.m. ET: A previous version of this story stated that the jailbreaking tool Checkra1n is open source. But it is in fact not open source.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.

READ MORE HERE